Import deployed resources into Infrastructure Manager

This tutorial demonstrates how to import Google Cloud resources into a Infrastructure Manager deployment. You can only import resources that were provisioned using Terraform.

If you have a Terraform configuration and have not yet deployed it on Google Cloud, then see deploy infrastructure using Infrastructure Manager .

This tutorial begins with deploying a Virtual Private Cloud (VPC) onto Google Cloud using the Terraform CLI. Then, this tutorial demonstrates how to import these deployed resources into Infrastructure Manager so that the resources can be managed as an Infrastructure Manager deployment.

You can use the example in this tutorial to understand how to import other Google Cloud resources into Infra Manager. To import the deployment into Infra Manager, the Terraform configuration used to provision the resources does need to comply with the constraints , and the resources need to have been provisioned using a supported Terraform version .

Costs

This tutorial uses the following billable components of Google Cloud:

Before you begin

If you don't already have one, sign up for a new account .

Install the Google Cloud CLI.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .

To initialize the gcloud CLI, run the following command:

gcloud  
init

Create or select a Google Cloud project .

Create a Google Cloud project:
```
gcloud projects create PROJECT_ID 
```
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
Select the Google Cloud project that you created:
```
gcloud config set project PROJECT_ID 
```
Replace PROJECT_ID with your Google Cloud project name.

Verify that billing is enabled for your Google Cloud project .

Enable the Infrastructure Manager API:

gcloud  
services  
 enable 
  
config.googleapis.com

Set up authentication:

Create the service account:
```
gcloud  
iam  
service-accounts  
create  
 SERVICE_ACCOUNT_NAME 
```
Replace SERVICE_ACCOUNT_NAME with a name for the service account.
Grant the roles/config.agent IAM role to the service account:
```
gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
--member = 
 "serviceAccount: SERVICE_ACCOUNT_NAME 
@ PROJECT_ID 
.iam.gserviceaccount.com" 
  
--role = 
roles/config.agent
```
Replace the following:
- SERVICE_ACCOUNT_NAME : the name of the service account
- PROJECT_ID : the project ID where you created the service account
Note : The --role flag affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.

Install the Google Cloud CLI.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .

To initialize the gcloud CLI, run the following command:

gcloud  
init

Create or select a Google Cloud project .

Create a Google Cloud project:
```
gcloud projects create PROJECT_ID 
```
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
Select the Google Cloud project that you created:
```
gcloud config set project PROJECT_ID 
```
Replace PROJECT_ID with your Google Cloud project name.

Verify that billing is enabled for your Google Cloud project .

Enable the Infrastructure Manager API:

gcloud  
services  
 enable 
  
config.googleapis.com

Set up authentication:

Create the service account:
```
gcloud  
iam  
service-accounts  
create  
 SERVICE_ACCOUNT_NAME 
```
Replace SERVICE_ACCOUNT_NAME with a name for the service account.
Grant the roles/config.agent IAM role to the service account:
```
gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
--member = 
 "serviceAccount: SERVICE_ACCOUNT_NAME 
@ PROJECT_ID 
.iam.gserviceaccount.com" 
  
--role = 
roles/config.agent
```
Replace the following:
- SERVICE_ACCOUNT_NAME : the name of the service account
- PROJECT_ID : the project ID where you created the service account
Note : The --role flag affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.

Install a supported version of Terraform .

Deploy resources to Google Cloud

The Google Cloud resource that you deploy in this tutorial is a VPC. This section shows you how to deploy the resource to use as an example for importing deployed resources into Infra Manager.

This tutorial uses the us-central1 region. If you want to use another region, then you can use any of the location where Infra Manager runs. See Infrastructure Manager locations for the list of valid locations.

Grant permissions for resources in the configuration

You have granted permissions needed to run Infra Manager, but you also need to grant permissions that are specific to the resources described in the configuration you are deploying.

Grant permissions to be able to create the VPC network, which is the resource defined in the Terraform configuration:

  gcloud 
  
 projects 
  
 add 
 - 
 iam 
 - 
 policy 
 - 
 binding 
  
  PROJECT_ID 
 
  
 \ 
  
 --member=serviceAccount: SERVICE_ACCOUNT_NAME 
@ PROJECT_ID 
.iam.gserviceaccount.com \ 
  
 --role=roles/compute.networkAdmin

Replace the following:

SERVICE_ACCOUNT_NAME : the name of the service account.
PROJECT_ID : your project ID.

Deploy resources using the Terraform CLI

Create a VPC network using the following Terraform configuration. To do so, run the following command:

  mkdir 
  
 vpc_to_import 
 cd 
  
 vpc_to_import 
 cat 
  
<< EOF 
 > 
 main 
 . 
 tf 
 variable 
  
 "project_id" 
  
 { 
  
 type 
  
 = 
  
 string 
 } 
 resource 
  
 "google_compute_network" 
  
 "vpc_network" 
  
 { 
  
 name 
  
 = 
  
 "my-custom-mode-network" 
  
 project 
  
 = 
  
 var 
 . 
 project_id 
 } 
 EOF

Deploy the configuration using the Terraform CLI using the following command:

  terraform 
  
 init 
 echo 
  
 "**************  TERRAFORM APPLY  ******************" 
 terraform 
  
 apply 
  
 - 
 var 
 = 
 "project_id= PROJECT_ID 
" 
  
 - 
 auto 
 - 
 approve 
 cd 
  
 ..

When the VPC is provisioned, you see output that begins with the text Creation complete .

The VPC that is defined in the Terraform configuration is now deployed on Google Cloud. Terraform creats a state file, and this file is on the file system next to the main.tf file.

Create a placeholder deployment in Infrastructure Manager

To import resources into Infra Manager, you need an existing deployment in Infra Manager.

This tutorial uses a storage bucket to store the Terraform configuration. If you are using this tutorial to understand how to import other deployments into Infra Manager, then you can store the Terraform configuration in a storage bucket, public Git repository, or on your local machine.

Add an empty Terraform configuration to the storage bucket:

 gcloud storage buckets create gs://import-deployment-configuration --project= PROJECT_ID 
mkdir placeholder_deployment
cd placeholder_deployment
cat <<EOF > main.tf
EOF

gcloud storage cp main.tf gs://import-deployment-configuration
cd ..

Create a deployment using Infra Manager.

 gcloud infra-manager deployments apply projects/ PROJECT_ID 
/locations/us-central1/deployments/import-deployment \
--gcs-source gs://import-deployment-configuration \
--input-values project_id= PROJECT_ID 
\
--service-account projects/ PROJECT_ID 
/serviceAccounts/ SERVICE_ACCOUNT

When the deployment is done, you see:

 Creating the deployment...done

You now have an Infra Manager deployment. Next, you need to add the state file and Terraform configuration to this deployment so that this deployment manages the VPC.

Import the state file and Terraform configuration

To manage the deployed resource (the VPC) using Infra Manager, you need to add the state file and the Terraform configuration to Infra Manager.

Lock the deployment

Lock the Infra Manager deployment so you can make changes to its state.

 LOCK_ID=$(gcloud infra-manager deployments lock projects/ PROJECT_ID 
/locations/us-central1/deployments/import-deployment --format="get(lockId)")

Import the Terraform state file into Infra Manager

Import the state file for your deployed resources. This state file was created by Terraform when you deployed the VPC using the Terraform CLI.

Upload the Terraform state file to the Infra Manager deployment.

  SIGNED_STATE_UPLOAD_URL 
 =$ 
 ( 
 gcloud 
  
 infra 
 - 
 manager 
  
 deployments 
  
 import 
 - 
 statefile 
  
 projects 
 / 
  PROJECT_ID 
 
 / 
 locations 
 / 
 us 
 - 
 central1 
 / 
 deployments 
 / 
 import 
 - 
 deployment 
  
 -- 
 lock 
 - 
 id 
  
 $ 
 { 
 LOCK_ID 
 } 
  
 -- 
 format 
 = 
 "get(signedUri)" 
 ) 
 cd 
  
 vpc_to_import 
 curl 
  
 - 
 s 
  
 - 
 X 
  
 PUT 
  
 -- 
 upload 
 - 
 file 
  
 terraform 
 . 
 tfstate 
  
 $ 
 SIGNED_STATE_UPLOAD_URL

Upload the Terraform configuration to the Cloud Storage bucket

Now that you have uploaded the Terraform state file, you also need to upload the Terraform configuration that you used to create the VPC network. Infra Manager needs the Terraform state file so that when a Infra Manager preview is run, it doesn't find any changes to the resources.

Upload the Terraform configuration to Cloud Storage using the following command:

 gcloud storage cp main.tf gs://import-deployment-configuration

Unlock the deployment

If you are using this tutorial to understand how to import any resources into Infra Manager, ensure that the state file and Terraform configuration don't have differences. If there are differences between the state file and the Terraform configuration, then ensure that the state file describes the resources that you want deployed. When you unlock the deployment, if there are differences between the state file and Terraform configuration, then when you unlock the deployment Infra Manager creates or deletes resources to match the state file.

You need to unlock the deployment to be able to manage the resources using Infra Manager. In this tutorial, the state file and Terraform configuration describe the same configuration, and so Infra Manager doesn't create or delete any resources.

Release the lock from the deployment by running the following.

 gcloud  
infra-manager  
deployments  
unlock  
projects/ PROJECT_ID 
/locations/us-central1/deployments/import-deployment  
\
--project  
 PROJECT_ID 
  
\
--location  
us-central1  
\
--lock-id  
 ${ 
 LOCK_ID 
 }

Now that the state file and Terraform configuration are added to your Infra Manager deployment, you have finished importing the deployed resources. The deployed VPC is now managed by Infra Manager.

Preview resource changes

Run a preview on the deployment to confirm that the Terraform state and the resources deployed on Google Cloud are in sync.

Create a preview using the following command:

  gcloud 
  
 infra 
 - 
 manager 
  
 previews 
  
 create 
  
 projects 
 / 
  PROJECT_ID 
 
 / 
 locations 
 / 
 us 
 - 
 central1 
 / 
 previews 
 / 
 import 
 - 
 deployment 
 - 
 preview 
  
 \ 
 --gcs-source gs://import-deployment-configuration \ 
 --input-values project_id= PROJECT_ID 
\ 
 --deployment projects/ PROJECT_ID 
/locations/us-central1/deployments/import-deployment \ 
 --service-account projects/ PROJECT_ID 
/serviceAccounts/ SERVICE_ACCOUNT_NAME 
@ PROJECT_ID 
. 
iam.gserviceaccount.com

Get preview details to make sure it has finished successfully.

 gcloud infra-manager previews describe projects/ PROJECT_ID 
/locations/us-central1/previews/import-deployment-preview

Export the preview to review changes.

  SIGNED_BIN_PLAN_URL 
 =$ 
 ( 
 gcloud 
  
 infra 
 - 
 manager 
  
 previews 
  
 export 
  
 projects 
 / 
  PROJECT_ID 
 
 / 
 locations 
 / 
 us 
 - 
 central1 
 / 
 previews 
 / 
 import 
 - 
 deployment 
 - 
 preview 
  
 -- 
 format 
  
 "get(result.binarySignedUri)" 
 ) 
 curl 
  
 - 
 X 
  
 GET 
  
 -- 
 output 
  
 tfplan 
 . 
 out 
  
 $ 
 SIGNED_BIN_PLAN_URL

Ensure the configuration is present locally and initialized with the following command:
```
 terraform init 
```
Run Terraform show to review changes between Infrastructure Manager deployment state and the configuration.
```
 terraform show tfplan.out 
```

If the VPC resource on Google Cloud and the state file are in sync, then terraform show outputs the following validating that Infrastructure Manager does not see any changes between deployment state and the configuration. You see an output similar to the following:

 No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

You have now imported the deployed resources so that they are managed by Infra Manager. For example, you can now use Infra Manager to update the deployment .

You can also update the deployment to validate that the deployment was successfully imported into Infra Manager.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

Delete a Google Cloud project:

gcloud projects delete PROJECT_ID

Delete individual resources

Delete the VPC and the metadata about the deployment:

 gcloud infra-manager deployments delete projects/ PROJECT_ID 
/locations/us-central1/deployments/quickstart-deployment

What's next

Learn more about Terraform with Google Cloud .
Update a deployment .
View the state of a deployment .
View resources deployed .
Delete a deployment .